I am using the AntiForgeryToken helper method. From what I understand about the AntiForgeryToken is that it is session base, so that each user has the same token but another user will have a different token (provided that you use the same salts for all of the forms). My “problem” is that AntiForgeryToken is generating different tokens for the same user with the same salt. For example …
Contoller
public ActionResult Test()
{
return View();
}
View
@using (Html.BeginForm())
{
@Html.AntiForgeryToken("Salty!")
}
Output Request #1
<input name="__RequestVerificationToken" type="hidden" value="K1sijFuYvyGUJjGg33OnLjJaU3tFpGFDutRt9TOFSkZ6FcrhJMMQPnOqjIHuTwBXs/sPBXEiE+1qyV9l63nnSO161b+OtLbaBoPC7K3/7wxtnuSY+N0o/fqBgVoDyac4dNVp+OvanKBSrHINKfc3WEg9269BHOJNzFowC6Aeac/afAGTGrBypxUHfqrKVowD" />
Output Request #2
<input name="__RequestVerificationToken" type="hidden" value="mOpP6LMQXnCmjr5/Wdtnhguh3PyZxWj7GWf8LYzZXPKcJBBT+DbAHvynquSD65O0DBw1RKR7DxCNg372ukftCOWms+o75CraMyFMnvjGk7RU+znIQm05eRQvr5H6d/MDyn+0DWm3jLnMBM9GplsgMRqbdAHzSe69/cS2x9A4X/9jFTZQHUWXXHUr0xewF8Rk" />
The keys are different for the same session with the same salt. Do I have a fundamental misunderstanding of CRSF protection? Or is this a new feature?
The anti XSRF token works by encrypting the same random value into a session cookie and onto your form. The session cookies are submited only when you make a post from the form you’ve generated.
This approach also works e.g. on server farms (in a load balancing scenario) where all servers share the encryption key. The validation works only by comparing the decrypted value from the posted form data and the decrypted value from the posted session cookie. This is called the double submitted cookie method.
So it’s pretty normal that each requests gets a different value. This is a nice post about ASP.NET MVC XSRF tokens.